Chip & Pin fraud- Please help!

central

Hey you guys are great detectives - well done, OP exposed I think.

Alex_LS

ElkyElky wrote: »

I assumed the terminal can decrypt it to check the pin entered matches the card?

No. All the terminal does is send the PIN to the card for verification. It's the card that tells the terminal if the PIN's correct.

Paul_Herring

Alex_LS wrote: »

No. All the terminal does is send the PIN to the card for verification. It's the card that tells the terminal if the PIN's correct.

A web search for ["yes card" chip pin] would show why this method is somewhat broken if the bank isn't actually contacted for verification.

Alex_LS

Paul_Herring wrote: »

A web search for ["yes card" chip pin] would show why this method is somewhat broken if the bank isn't actually contacted for verification.

And a quick read about Dynamic Data Authentication (and CDA) will show the solution to this. The fact that comms costs have significantly reduced in the last few years has led to most UK transactions actually going online anyway, so SDA hasn't been too much of an issue so far and from 1/1/10, no offline-capable cards supporting SDA will be issued in Europe.

socrates

Alex_LS wrote: »

from 1/1/10, no offline-capable cards supporting SDA will be issued in Europe.

So what does that mean? (in English please)

Alex_LS

Over the next 18 months, cards with stronger security measures will be phased in. It will no longer be possible to create 'yes' cards by copying information from a genuine card. (But bear in mind that, due to expected lifetimes of cards, there may well be the older type of cards in use until 2014). Basically, unless someone cracks the encryption keys themselves, a chip transaction will have to have been performed using the genuine card.

Creating 'cloned' mag stripe cards will still be possible and this type of fraud will not be eradicated whilst there are still ATMs in the world that don't support Chip&PIN. That's not to say that other anti-fraud and monitoring measures can/will not be employed by the banks to reduce it further.

socrates

Alex_LS wrote: »

Over the next 18 months, cards with stronger security measures will be phased in. It will no longer be possible to create 'yes' cards by copying information from a genuine card. (But bear in mind that, due to expected lifetimes of cards, there may well be the older type of cards in use until 2014). Basically, unless someone cracks the encryption keys themselves, a chip transaction will have to have been performed using the genuine card.

Creating 'cloned' mag stripe cards will still be possible and this type of fraud will not be eradicated whilst there are still ATMs in the world that don't support Chip&PIN. That's not to say that other anti-fraud and monitoring measures can/will not be employed by the banks to reduce it further.

Appreciate that answer.

So basically the mag strip will continue - I understand that bit.

However what is currently being done with the 'yes' cards in terms of what type of fraud is being carried out.

Alex_LS

That's the point you made above. There's no evidence to suggest this attack has been performed so far.

socrates

Alex_LS wrote: »

That's the point you made above. There's no evidence to suggest this attack has been performed so far.

So why are they making them stronger - what are they protecting them against?

Something must be going on that they are not saying

Paul_Herring

So why are they making them stronger - what are they protecting them against?

Their own liability to pay/refund money if the security fails I think.

They've already make chip'n'pin easier to 'crack' merely through the technologically advanced method of shoulder surfing - specifically when the only time you needed it was to withdraw money from a cash point, it was something most were aware of.

Now that you need to enter your PIN for the most mundane purchases multiple times per day people are less conscious of the fact it may happen.